ZAP integrated in Azure DevOps but not collecting the full report


bharath kumar
Feb 6, 2024, 5:04:36 AM
to ZAP User Group
Hi Team,

I'm using ZAP in my current project as a Docker container, but it's not providing the full report.

How can I find out the crawled URLs for the main URL? If a password field asks to enter a password, that should be given in the report.

If any sensitive information is exposed in an HTML page it should report it, but it doesn't.

Below is the command I'm using.

- task: CmdLine@2
  displayName: 'OWASP Application Scan'
  inputs:
    script: |
      echo "Scanning qa-url for $(Build.SourceBranch)"
      # The container runs as the unprivileged 'zap' user and must be able to
      # write the reports into the mounted directory.
      chmod -R 777 ./
      ls -ltr
      pwd
      # Hook file: raise the Ajax Spider's maximum crawl depth (default is 10).
      cat > my-hooks.py <<'EOF'
      def zap_ajax_spider(zap, target, max_time):
          zap.ajaxSpider.set_option_max_crawl_depth(100)
          return zap, target, max_time
      EOF
      ls -ltr
      cat my-hooks.py
      # The owasp/zap2docker-* images are deprecated; the ghcr.io images replace them.
      #docker pull owasp/zap2docker-weekly
      #docker run --rm -v $(pwd):/zap/wrk owasp/zap2docker-weekly zap-baseline.py -t $(qaUrl) -r "owasp_report.html" -x "owasp_report.xml" -J "owasp_report.json" -j -a
      #docker pull ghcr.io/zaproxy/zaproxy:stable
      # -J writes the JSON report; -g generates a default rules config file, so
      # giving -g twice meant no JSON report was written. The --hook path is
      # resolved inside the container, whose working directory is /zap, so the
      # file must be referenced by its absolute path under the mounted /zap/wrk.
      docker run --rm -v $(pwd):/zap/wrk -t ghcr.io/zaproxy/zaproxy:latest zap-full-scan.py -t $(qaUrl) -r "owasp_report.html" -x "owasp_report.xml" -J "owasp_report.json" -j -a -g gen.conf --hook=/zap/wrk/my-hooks.py

bharath kumar
Feb 6, 2024, 5:20:30 AM
to ZAP User Group
docker run --rm -v $(pwd):/zap/wrk -t ghcr.io/zaproxy/zaproxy:latest zap-full-scan.py -t https://alpha.com/ -r "owasp_report.html" -x "owasp_report.xml" -J "owasp_report.json" -j -a -g gen.conf --hook=/zap/wrk/my-hooks.py

Simon Bennetts
Feb 6, 2024, 5:52:01 AM
to ZAP User Group
It sounds like you need to configure ZAP to handle authentication.

Cheers,

Simon

bharath kumar
Feb 6, 2024, 6:01:35 AM
to ZAP User Group
No, I want to collect the report accurately, and whatever sub-URLs it is scanning, I want those in the report.

It's scanning 5 URLs only, even though I have defined depth 100 as well.

Recently we got a password exposed in an HTML page, but nowhere in the report was it caught.

If we use Docker for ZAP, are there any limitations, or do we need to integrate anything to get the full report?

bharath kumar
Feb 6, 2024, 6:07:45 AM
to ZAP User Group
Do we need to pass the username and password as well to scan the application, if the app has a username and password?

If the application requires entering a username and password, how can I pass it in the given docker command?

Simon Bennetts
Feb 6, 2024, 6:08:45 AM
to ZAP User Group
"It's complicated" - for lots of very good reasons.

If auth auto detection works for you then your life will be easier.

bharath kumar
Feb 6, 2024, 6:14:19 AM
to zaprox...@googlegroups.com
Without passing the credentials it won't scan the URL.

--
You received this message because you are subscribed to the Google Groups "ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/7c2c9d1e-1f99-43a3-a10b-6a7bbbe135ban%40googlegroups.com.

Simon Bennetts
Feb 6, 2024, 6:17:10 AM
to ZAP User Group
I get that.
We have lots of documentation on how you can get ZAP to handle authentication.

But you need to read it...

bharath kumar
Feb 6, 2024, 6:21:08 AM
to zaprox...@googlegroups.com
I'm asking whether it is required or not; if required, then how do I handle it in Docker?


Simon Bennetts
Feb 6, 2024, 6:22:50 AM
to ZAP User Group
Have you read the docs?

bharath kumar
Feb 6, 2024, 6:42:55 AM
to zaprox...@googlegroups.com
In the web page HTML source code an AWS secret key has been exposed; can you confirm why it's not captured in the report?

Simon Bennetts
Feb 6, 2024, 6:46:15 AM
to ZAP User Group
I don't think we look for AWS secret keys.
That could be a good addition.
Does anyone know of a good set of regexes for secret keys?

Cheers,

Simon
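Simon's question above is about regexes. As an added example (not ZAP project code and not from anyone in this thread), the Python below runs the two checks such a rule would need over a constructed HTML page: the fixed-format AWS access key ID, and the 40-character secret access key only when a credential-like name precedes it, because the bare 40-character pattern also matches hashes, tokens and minified JavaScript. Matched values are redacted in the findings so they never land in CI logs. The sample page, the key values (AWS's own documentation examples) and the function names are mine.

```python
import re
from dataclasses import dataclass

# AWS access key IDs are 20 characters: a prefix (AKIA = long-term IAM key,
# ASIA = temporary STS key) followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 characters from the base64 alphabet. Alone that
# matches hashes, JWT fragments and minified JS, so the match is gated on a
# credential-like name (secret_key, secretAccessKey, AWS_SECRET_ACCESS_KEY ...)
# within a few non-alphanumeric characters before the value.
SECRET_KEY_RE = re.compile(
    r"(?:aws[_-]?)?secret[_-]?(?:access[_-]?)?key"   # the name
    r"[^A-Za-z0-9/+]{0,5}"                            # : = " and spaces
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])",         # exactly 40 chars
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str
    line: int
    redacted: str   # first/last 4 characters only, so logs never carry the key


def redact(value):
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_aws_credentials(body):
    """Return one Finding per credential-looking token in a page body."""
    findings = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding("aws-access-key-id", lineno, redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding("aws-secret-access-key", lineno, redact(m.group(1))))
    return findings


# Constructed sample page; the key values are the ones AWS uses in its own
# documentation, not real credentials. The build hash is a 40-character
# string with no credential name in front of it, so it must not be reported.
SAMPLE_HTML = """<html>
<script>
  var config = {
    region: "eu-west-1",
    accessKeyId: "AKIAIOSFODNN7EXAMPLE",
    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  };
  var buildHash = "3f786850e387550fdab836ed7e6dc881de23001b";
</script>
</html>"""

if __name__ == "__main__":
    for f in find_aws_credentials(SAMPLE_HTML):
        print("%s line %d: %s" % (f.kind, f.line, f.redacted))
```

The ZAP reports do not contain response bodies, so a check like this has to run over the responses themselves, for instance from a passive scan script or over a saved copy of the pages; the access key ID pattern is reliable on its own, while any secret key hit should be confirmed by hand before it is treated as a leak.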

bharath kumar
Feb 7, 2024, 4:17:15 AM
to ZAP User Group
Getting the below error while scanning; why?

712559 [ZAP-IO-2-2] ERROR org.zaproxy.addon.network.internal.handlers.ServerExceptionHandler - java.lang.OutOfMemoryError: Java heap space
java.lang.OutOfMemoryError: Java heap space
ERROR HTTPConnectionPool(host='localhost', port=42993): Max retries exceeded with url: http://zap/JSON/spider/view/status/?scanId=0 (Caused by ProxyError('Cannot connect to proxy.', RemoteDisconnected('Remote end closed connection without response')))

kingthorin+zap
Feb 7, 2024, 1:26:03 PM
to ZAP User Group
.... because Java exhausted the memory available to it.

bharath kumar
Feb 8, 2024, 12:54:55 AM
to ZAP User Group
Hi

We have a preprod URL and a prod URL; when running ZAP on both URLs:

Prod covered - Total of 380 URLs

Pre-prod covered - Total of 9 URLs

Any specific reason why it's covering them like that?

Simon Bennetts
Feb 8, 2024, 4:10:25 AM
to ZAP User Group
Yeah, because it ran out of memory.
Increase the memory available and try again.

Cheers,

Simon

bharath kumar
Feb 8, 2024, 4:21:35 AM
to ZAP User Group
After I resolved the issue I'm getting the below, even though that issue was on the prod URL.

Why is preprod running on 5 URLs when prod is running on 380 URLs?

Doubt 1:
Preprod: because it is unauthorized, it can't cover all the URLs to scan?
If so, I'm passing the username and password, so why is it not scanning?

Doubt 2:
In the report, how can I get the names of all the URLs being scanned when running with the Docker container? If it's 380 URLs I need them in the report.

Total of 5 URLs
WARN-NEW: Strict-Transport-Security Disabled [10035] x 4
WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 4
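On the second doubt: the reports written with -r/-x/-J name a URL only where it is an instance of an alert, so a page with no finding never appears in them. The "Total of N URLs" line printed by the script is the length of ZAP's sites tree, which the API returns from zap.core.urls(). As an added example (mine, not the ZAP project's and not from this thread), the hooks file below writes that list into the mounted /zap/wrk directory during the scan. The hook name zap_get_alerts and its arguments are taken from the packaged-scan hooks documentation; the output file name and the constructed sample URL list are assumptions of mine.

```python
"""my-hooks.py: record every URL ZAP crawled, not only the ones with alerts.

The HTML/XML/JSON reports name a URL only as an instance of an alert, so a
clean page never shows up in them. ZAP keeps the full list in its sites
tree, which the API returns from zap.core.urls().
"""
import json
from urllib.parse import urlsplit

OUT_FILE = "/zap/wrk/crawled_urls.json"   # /zap/wrk is the mounted host directory


def same_site(url, target):
    """True when url has the scheme and host (including port) of target."""
    u, t = urlsplit(url), urlsplit(target)
    return (u.scheme, u.netloc.lower()) == (t.scheme, t.netloc.lower())


def in_scope_urls(urls, target):
    """Drop fragments and duplicates, keep only the target site, sort."""
    seen = set()
    for url in urls:
        url = url.split("#", 1)[0]
        if same_site(url, target):
            seen.add(url)
    return sorted(seen)


def write_url_list(urls, target, path=OUT_FILE):
    kept = in_scope_urls(urls, target)
    with open(path, "w") as fh:
        json.dump({"target": target, "count": len(kept), "urls": kept}, fh, indent=2)
    return kept


# Hook name and arguments as listed in the packaged-scan hooks documentation:
# it fires after the spiders (and, for zap-full-scan.py, the active scan),
# right before the alerts are collected for the report. Returning nothing
# leaves the original arguments in place.
def zap_get_alerts(zap, baseurl, ignore_scan_rules, out_of_scope_dict):
    kept = write_url_list(zap.core.urls(), baseurl)
    print("Recorded %d crawled URLs under %s in %s" % (len(kept), baseurl, OUT_FILE))


# Constructed sample, standing in for what zap.core.urls() returns.
SAMPLE_URLS = [
    "https://alpha.com/",
    "https://alpha.com/login#top",
    "https://alpha.com/login",
    "https://cdn.other.net/app.js",     # third-party asset: out of scope
    "http://alpha.com/",                # plain-http variant: different origin
    "https://alpha.com/app/home",
]

if __name__ == "__main__":
    print("\n".join(in_scope_urls(SAMPLE_URLS, "https://alpha.com/")))
```

Run the scan with --hook=/zap/wrk/my-hooks.py (the path is resolved inside the container, not on the agent) and add -d if the file is never written: a hooks file that cannot be found is only mentioned at debug level, and the scan carries on without it.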

bharath kumar
Feb 8, 2024, 6:26:12 AM
to zaprox...@googlegroups.com
Can't find anything in the link; it's showing my conversation only.


bharath kumar
Feb 8, 2024, 6:36:52 AM
to zaprox...@googlegroups.com
Can you tell me how to pass authentication with a username and password to the below command?

docker run --rm -v $(pwd):/zap/wrk -t ghcr.io/zaproxy/zaproxy:latest zap-full-scan.py -t https://alpha.com/ -r "owasp_report.html" -x "owasp_report.xml" -J "owasp_report.json" -j -a -g gen.conf --hook=/zap/wrk/my-hooks.py

Simon Bennetts
Feb 8, 2024, 6:44:45 AM
to ZAP User Group
Not easily, no.
That's because I have no idea how authentication works for your app.

Luckily we have lots of docs available - see https://www.zaproxy.org/docs/authentication/

Cheers,

Simon

bharath kumar
Feb 8, 2024, 6:59:27 AM
to ZAP User Group
To access any application with a username and password, how can I pass them to the login page for the URL on the command line?

docker run --rm -v $(pwd):/zap/wrk -t ghcr.io/zaproxy/zaproxy:latest zap-full-scan.py -t https://alpha.com/ -r "owasp_report.html" -x "owasp_report.xml" -J "owasp_report.json" -j -a -g gen.conf --hook=/zap/wrk/my-hooks.py

From the documentation I can't find the way to pass login credentials to Docker.

Simon Bennetts
Feb 8, 2024, 7:02:55 AM
to ZAP User Group
Don't try to do that straight away, it's almost bound to fail.
You need to get authentication working via the ZAP desktop first, then we can worry about automating it.
First check to see if ZAP Auto Detection works: https://www.zaproxy.org/docs/authentication/auto-detection/

bharath kumar
Feb 8, 2024, 7:12:05 AM
to ZAP User Group
In the below GitHub repo some commands are given to pass authentication; can I do it like that, and will it work instead of using the desktop?

https://github.com/ICTU/zap2docker-auth-weekly

docker run --rm -v $(pwd):/zap/wrk/:rw -t ictu/zap2docker-weekly zap-baseline.py -I -j \
  -t https://demo.website.net \
  -r testreport.html \
  --hook=/zap/auth_hook.py \
  -z "auth.loginurl=https://demo.website.net/login/index.php auth.username=admin auth.password=sandbox"

Simon Bennetts
Feb 8, 2024, 7:41:37 AM
to ZAP User Group
Just start with the auth tester dialog, as explained on https://www.zaproxy.org/docs/authentication/auto-detection/

bharath kumar
Feb 9, 2024, 4:09:43 AM
to zaprox...@googlegroups.com
I can't understand how they used the authentication mechanism in the docker run command to scan the URL.

As per my understanding, do we need to generate a context file and then use that in the docker run command; is that correct?
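On the context-file question: the packaged scripts' own documented route is -n context_file -U user, with a context exported from the desktop once the login has been checked there, which is what Simon is pointing at. The other route, the one the ICTU image takes, is a hooks file that sets authentication up through the API before the spiders start. The file below is an added example of that second route; it is mine, not the ZAP project's and not ICTU's. It assumes a plain HTML form that POSTs username and password to https://alpha.com/login, a /logout link that is only rendered once logged in, and credentials supplied through the environment variables ZAP_AUTH_USER and ZAP_AUTH_PASS; the field names, the logged-in regex, the context name and the variable names are all assumptions.

```python
"""my-hooks.py: log the packaged scan in through the ZAP API.

Assumed, not from the thread: an HTML form that POSTs 'username' and
'password' to https://alpha.com/login, a /logout link that is only rendered
when logged in, and credentials in the ZAP_AUTH_USER / ZAP_AUTH_PASS
environment variables that the pipeline passes into the container.
"""
import os
from urllib.parse import urlencode

TARGET = "https://alpha.com"
LOGIN_URL = TARGET + "/login"            # assumed login endpoint
LOGGED_IN_REGEX = r'href="/logout"'      # assumed logged-in indicator
CONTEXT_NAME = "ci"                       # arbitrary context name


def form_auth_params(login_url, user_field="username", pass_field="password", extra=None):
    """Config string for ZAP's formBasedAuthentication method.

    ZAP substitutes {%username%} and {%password%} when it logs in; the whole
    body template is URL-encoded as the value of loginRequestData.
    """
    fields = {user_field: "{%username%}", pass_field: "{%password%}"}
    fields.update(extra or {})                      # e.g. a fixed hidden field
    login_request_data = "&".join("%s=%s" % kv for kv in fields.items())
    return urlencode({"loginUrl": login_url, "loginRequestData": login_request_data})


def credential_params(username, password):
    """Config string for users.set_authentication_credentials."""
    return urlencode({"username": username, "password": password})


def zap_started(zap, target):
    """Packaged-scan hook: runs once ZAP is up, before the target is accessed."""
    username = os.environ["ZAP_AUTH_USER"]
    password = os.environ["ZAP_AUTH_PASS"]

    ctx_id = zap.context.new_context(CONTEXT_NAME)
    zap.context.include_in_context(CONTEXT_NAME, TARGET + ".*")
    zap.authentication.set_authentication_method(
        ctx_id, "formBasedAuthentication", form_auth_params(LOGIN_URL))
    zap.authentication.set_logged_in_indicator(ctx_id, LOGGED_IN_REGEX)

    user_id = zap.users.new_user(ctx_id, "ci-user")
    zap.users.set_authentication_credentials(ctx_id, user_id, credential_params(username, password))
    zap.users.set_user_enabled(ctx_id, user_id, True)

    # Forced User mode: every request ZAP sends inside the context, from the
    # spiders and the active scanner alike, goes out as this user, so the
    # zap-full-scan.py command line itself does not change.
    zap.forcedUser.set_forced_user(ctx_id, user_id)
    zap.forcedUser.set_forced_user_mode_enabled(True)


if __name__ == "__main__":
    print(form_auth_params(LOGIN_URL))
```

Pass the variables through with -e ZAP_AUTH_USER -e ZAP_AUTH_PASS on the docker run line and mark them as secret pipeline variables rather than writing them into the YAML. ZAP treats any response that does not match the logged-in indicator as logged out and re-authenticates, so a wrong regex means a login attempt before every request; confirm the login and the indicator in the desktop's authentication tester first, as suggested above. A form that carries an anti-CSRF token or a JavaScript-driven login will need more than this plain form method, which is exactly where the auto-detection route comes in.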

thc...@gmail.com
Feb 12, 2024, 3:04:41 AM
to zaprox...@googlegroups.com
It depends on what you use; if you use the Automation Framework you just
need to specify the plan, once it is configured with authentication.
https://www.zaproxy.org/docs/automate/automation-framework/

Best regards.